

Merge pull request #1993 from aembler/hotfix/private-messages
Fixing error marking a message as read; fixing error with reply disclosing too much.
aembler authored Feb 26, 2019
2 parents bb957f1 + 385c006 commit 150aa36
Showing 2 changed files with 11 additions and 1 deletion.
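--- a/web/concrete/core/controllers/single_pages/profile/messages.php
+++ b/web/concrete/core/controllers/single_pages/profile/messages.php
@@ -123,6 +123,16 @@ public function reply($boxID, $msgID) {
 $msg = UserPrivateMessage::getByID($msgID);
 $uID = $msg->getMessageRelevantUserID();
 $this->validateUser($uID);
+
+// Make sure we are allowed to view this
+$viewingUser = new User();
+$viewingUserInfo = UserInfo::getByID($viewingUser->getUserID());
+$isSentToUser = (int) $msg->getMessageUserToID() == (int) $viewingUserInfo->getUserID();
+if (!$isSentToUser && !$viewingUserInfo->canReadPrivateMessage($msg)) {
+$this->redirect('/profile/messages');
+return;
+}
+
 $this->set('backURL', View::url('/profile/messages', 'view_message', $boxID, $msgID));
 $this->set('msgID', $msgID);
 $this->set('box', $boxID);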
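Review bot: The added guard can treat an anonymous viewer as the recipient of a message with no recipient, because both sides of `$isSentToUser` are cast to int and `0 == 0` holds; `new User()` for a visitor who is not logged in presumably yields user ID 0 (confirm against the User class), and if `UserInfo::getByID(0)` returns null the call to `getUserID()` on it fatals before the comparison is even reached. Reject that case explicitly before comparing: `if (!$viewingUserInfo || (int) $viewingUserInfo->getUserID() <= 0) { $this->redirect('/profile/messages'); return; }`. The same applies to `$msg`: `UserPrivateMessage::getByID($msgID)` on the context line above is dereferenced with no null check, so an unknown message ID still produces an error page instead of the redirect the new code intends. The body of `reply()` continues past the hunk, so if `validateUser()` already enforces login this is belt-and-braces rather than a hole, but the zero-ID equality is worth closing either way.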
2 changes: 1 addition & 1 deletion web/concrete/core/models/user_private_message.php
Expand Up @@ -74,7 +74,7 @@ public function markAsRead() {
$db = Loader::db();
if ($this->uID != $this->uAuthorID) {
Events::fire('on_private_message_marked_as_read', $this);
$db->Execute('update UserPrivateMessagesTo set msgIsUnread = 0 where msgID = ?', array($this->msgID, $this->msgMailboxID, $this->uID));
$db->Execute('update UserPrivateMessagesTo set msgIsUnread = 0 where msgID = ?', array($this->msgID));
}
}

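Review bot: The fix drops the two extra bind values rather than restoring the predicates they appear to have been meant for, so the new UPDATE on `UserPrivateMessagesTo` is keyed only by `msgID`; if that table holds one row per recipient or mailbox for the same message (the removed line bound `msgMailboxID` and `uID`, which suggests it may), marking one copy read clears the unread flag on every copy. Consider `update UserPrivateMessagesTo set msgIsUnread = 0 where msgID = ? and msgMailboxID = ? and uID = ?` with the original three values, after confirming those column names against the table definition. Note also that `markAsRead()` issues the UPDATE without checking that `$this->uID` belongs to the caller, so the controller must guarantee that before calling it; the method signature sits in the hunk header above the first shown line.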

